Yarn audit failing due to vulnerability in axios 0.19 #605

Closed
tylerlevine opened this issue Jan 6, 2021 · 0 comments · Fixed by #608
@tylerlevine
Describe the bug
yarn audit shows a high severity vulnerability coming from axios on an install of the latest stellar-sdk version.

To reproduce:

$ yarn init -y && yarn add stellar-sdk && yarn audit
yarn init v1.22.10
warning The yes flag has been set. This will automatically answer yes to all questions, which may have security implications.
success Saved package.json
Done in 0.03s.
yarn add v1.22.10
info No lockfile found.
[1/4] Resolving packages...
warning stellar-sdk > axios@0.19.2: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
success Saved 39 new dependencies.
info Direct dependencies
└─ stellar-sdk@7.0.0
info All dependencies
├─ @types/eventsource@1.1.5
├─ @types/node@14.14.20
├─ @types/randombytes@2.0.0
├─ @types/urijs@1.19.13
├─ axios@0.19.2
├─ base32.js@0.1.0
├─ base64-js@1.5.1
├─ buffer@5.7.1
├─ crc@3.8.0
├─ cursor@0.1.5
├─ debug@3.1.0
├─ detect-node@2.0.4
├─ es6-promise@4.2.8
├─ eventsource@1.0.7
├─ follow-redirects@1.5.10
├─ ieee754@1.2.1
├─ inherits@2.0.4
├─ ini@1.3.8
├─ js-xdr@1.2.0
├─ lodash@4.17.20
├─ long@2.4.0
├─ ms@2.0.0
├─ nan@2.14.2
├─ node-gyp-build@4.2.3
├─ original@1.0.2
├─ querystringify@2.2.0
├─ randombytes@2.1.0
├─ requires-port@1.0.0
├─ safe-buffer@5.2.1
├─ sha.js@2.4.11
├─ sodium-native@2.4.9
├─ stellar-base@4.0.3
├─ stellar-sdk@7.0.0
├─ toml@2.3.6
├─ tslib@1.14.1
├─ tweetnacl@1.0.3
├─ urijs@1.19.5
├─ url-parse@1.4.7
└─ utility-types@3.10.0
Done in 1.64s.
yarn audit v1.22.10
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stellar-sdk                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stellar-sdk > axios                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1594                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 40
Severity: 1 High
Done in 1.54s.

What version are you on?
7.0.0

To Reproduce
See above

Expected behavior
Yarn audit does not detect any high severity vulnerabilities.

Additional context
Upgrading axios to >=0.21.1 should be sufficient.
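As an added example (not code from this issue or the stellar-sdk project), a Node script that turns the situation above into a CI gate: it parses the NDJSON written by `yarn audit --json` (Yarn v1), one JSON object per line, and fails when any advisory meets a chosen severity. The record shape (`auditAdvisory` with `data.advisory` and `data.resolution.path`) and the sample lines are assumptions constructed to mirror the advisory table in this report.

```javascript
// Added example, not from the issue or the stellar-sdk project: gate a build on the
// output of `yarn audit --json` (Yarn v1), which emits one JSON record per line.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
// Keep only auditAdvisory records; skip blank or non-JSON lines (yarn warnings).
function parseYarnAudit(ndjson) {
  const advisories = [];
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    let record;
    try { record = JSON.parse(line); } catch (e) { continue; }
    if (record.type !== 'auditAdvisory') continue;
    const adv = record.data.advisory;
    advisories.push({
      module: adv.module_name,
      severity: adv.severity,
      title: adv.title,
      patchedIn: adv.patched_versions,
      path: record.data.resolution.path,
      url: adv.url,
    });
  }
  return advisories;
}
// Advisories at or above the threshold. An unknown severity label counts as a
// finding (fail closed) so a new label is never silently ignored.
function findingsAtOrAbove(advisories, threshold) {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  return advisories.filter((a) => {
    const rank = SEVERITY_RANK[a.severity];
    return rank === undefined || rank >= min;
  });
}
// CI entry point: pass is false when anything meets the threshold; a pipeline
// would exit non-zero in that case.
function auditGate(ndjson, threshold) {
  const findings = findingsAtOrAbove(parseYarnAudit(ndjson), threshold);
  return { pass: findings.length === 0, findings };
}
// Constructed sample mirroring the advisory table in this issue (record shape assumed).
const SAMPLE_AUDIT_JSON = [
  JSON.stringify({ type: 'auditAdvisory', data: { resolution: { id: 1594, path: 'stellar-sdk>axios' },
    advisory: { module_name: 'axios', severity: 'high', title: 'Server-Side Request Forgery',
      patched_versions: '>=0.21.1', url: 'https://www.npmjs.com/advisories/1594' } } }),
  JSON.stringify({ type: 'auditSummary', data: { vulnerabilities: { high: 1 } } }),
].join('\n');
const result = auditGate(SAMPLE_AUDIT_JSON, 'high');
console.log(result.pass ? 'audit gate passed' : `audit gate FAILED: ${result.findings.map((f) => `${f.severity} ${f.module} via ${f.path}, patched in ${f.patchedIn}`).join('; ')}`);
```

In a real pipeline, feed it `yarn audit --json` output from stdin or a file and exit non-zero when `pass` is false; the threshold is the policy knob, not the parser.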
